[Opendnssec-develop] *blush* The experts agree. CKA_ID it is.
Roy Arends
roy at nominet.org.uk
Thu Mar 12 17:45:31 UTC 2009
I've discussed the issue with David Miller and Dr Stephen N Henson.
It seems that there is indeed much confusion in the field about CKA_ID's
and CKA_LABELs. As an example, there exist pkcs11 libraries that will
promiscuously match CKA_ID's while the search template specifies CKA_LABEL
and vice versa. On the uniqueness of identifiers they advised that we
can't uniquely assign identifiers per object, since some objects need to
match other objects. In our case, we need to match CKO_PRIVATE_KEY with
CKO_PUBLIC_KEY. Two different, independent objects from a PKCS11
perspective, though they need to be matched. For that purpose, we need to
have CKA_ID to match the two, hence they need to be equal. So the uniquely
identifiable pragma holds only for CKO_PRIVATE_KEY and CKO_PUBLIC_KEY
Pairs. There are some implementations that ignore CKA_ID, and some that
ignore CKA_LABEL. Even to the point that the attribute is present, but
can't be used for C_FindObjects.
Another issue is that often CKA_LABEL needs to be non-empty, as there are
some applications that use the empty CKA_LABEL to match all objects for a
certain purpose. Their conclusion is to be pragmatic. Though the theory is
that CKA_LABEL can well be used for searching, CKA_ID needs to be present
anyway to match the private object with the public object. Hence forcing
the use of CKA_LABEL is overkill.
So it seems that the experts (rick, roland, david and steve) agree. I'll
step off my high-horse and conform. CKA_ID it is. Next time we meet
(RIPE?) , beer is on me, to compensate for the wasted time. (Rick, lets do
that soon).
That leaves us with the encoding. do we put a string like
"254F9220-7B9C-4386-ABC2-F8230E3843B3" in the CKA_ID or do we put the 128
bit value in the CKA_ID. There is no restriction here, other than the
requirement of the signer for translating the 128 bit value to UUID when
we decide to store the 128-bit value. (the translation does not need to be
done in the signer when we use the UUID overall).
We still need the CKA_LABEL to be non-empty. I'll just put "OpenDNSSEC
DNSKEY" in there, unless told otherwise.
Thanks,
Regards,
Roy Arends
Sr. Researcher
Nominet UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090312/c478e88c/attachment.htm>
More information about the Opendnssec-develop
mailing list